What I believe happened in the case of the misuse of our servers is something like:

- On server A we have zope running behind Apache as a proxy. Somebody found this out in an unknown (to me) way.
- Our c-net was scanned for an MTA and server B was found (which only accepts mail from its own c-net).
- Now the abuser sends http requests to A requesting to forward to port 25 on server B. Since these requests are now from within B's own c-net, they are accepted.
Robert

On Tuesday, 14 October 2003 21:51, Chris Pelton wrote:
> >> So, would anybody have any ideas how to determine if this might have
> >> been compromised? Or is there a known mail relay exploit through zope
> >> somehow? I've checked system binaries and everything seems fine. None of
> >> the python files seem to have been changed since well before the
> >> relaying started.
> >
> > It might help to know the version of zope, which you may be able to find
> > in the version.txt file distributed with zope releases. That said,
> > there hasn't been a known relay exploit to the best of my knowledge,
> > but there are many ways to implement a web application that sends mail
> > in zope, and it wouldn't be at all surprising if the implementation of
> > your system was vulnerable.
> >
> > Do you know enough about Zope to discuss the implementation of your
> > web application? We can throw out a bazillion ideas but that's a
> > painfully slow way to determine what really happened.
>
> Unfortunately I don't know much about zope. There are several version.txt
> files in the tree -
>
> ./lib/python/version.txt - yields Zope 2.2.5 (source release, python 1.5.2,
> linux2)
>
> but there is also a Zope-2.3.3-src directory, although I don't find any
> binaries in there that match what look to be the running binaries.
>
> The thing is, this machine had sendmail configured for no-relay, but there
> were several virtual hosts in apache, and the mail was coming from one of
> those hosts. I'm thinking they could have just taken advantage of some Zope
> functionality, not necessarily a break-in?
>
> Thanks again,
> Chris
>
> _______________________________________________
> Zope-Dev maillist - [EMAIL PROTECTED]
> http://mail.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope )

--
Kind regards
Robert Rottermann
www.redCOR.ch
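A defender-side check for the mechanism Robert describes, added here as an example and not code from the thread or from Zope: it scans Apache access-log lines for forward-proxy style requests (CONNECT tunnels or absolute-URI targets) aimed at mail ports or at hosts other than server A's own virtual hosts. The log lines, addresses and virtual-host names are constructed, and the log format is assumed to be Apache's common/combined format.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Assumption: the virtual hosts server A legitimately serves (placeholder names).
LOCAL_VHOSTS = {"www.example.org", "zope.example.org"}
MAIL_PORTS = {25, 465, 587}

# Constructed sample log; 198.51.100.7 plays the abuser, 10.0.0.25 plays server B.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2003:20:15:01 +0200] "GET /index.html HTTP/1.1" 200 1543
198.51.100.7 - - [14/Oct/2003:20:15:07 +0200] "CONNECT 10.0.0.25:25 HTTP/1.0" 200 -
198.51.100.7 - - [14/Oct/2003:20:15:09 +0200] "POST http://10.0.0.25:25/ HTTP/1.0" 200 37
192.0.2.11 - - [14/Oct/2003:20:16:00 +0200] "GET http://www.example.org/about HTTP/1.1" 200 892
"""

def classify_request(req_line):
    """Return why a request line looks like forward-proxy abuse, or None if it is ordinary."""
    parts = req_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # CONNECT host:port asks Apache to open a raw TCP tunnel; a reverse proxy never needs it.
        host, _, port = target.rpartition(":")
        return "CONNECT tunnel to %s port %s" % (host, port)
    if target.startswith(("http://", "https://")):
        # An absolute URI in the request line is the forward-proxy form of a request.
        url = urlsplit(target)
        if url.port in MAIL_PORTS:
            return "proxy request to %s port %d (mail)" % (url.hostname, url.port)
        if url.hostname not in LOCAL_VHOSTS:
            return "proxy request to foreign host %s" % url.hostname
    return None

def find_relay_attempts(log_text):
    """Return (client ip, reason) for every suspicious line in an Apache access log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        reason = classify_request(m.group("req"))
        if reason:
            hits.append((m.group("ip"), reason))
    return hits
```

The matching Apache mitigation is ProxyRequests Off, which disables forward proxying while ProxyPass reverse proxying to Zope keeps working.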
